CANAL+ Le Cube REMOTING SCRIPTS v1.0

download: Le-Cube-CanalPlus-crack-v1.0.tar.gz

------------------------------------------------------------

WHAT-IS-IT

This package contains UPnP scripts that you may use to automate your Canal Plus set-top box.
It also contains a brute-force tool that can pair with the box without knowing the 4-digit secret.

HOW-IT-WORKS

These short scripts let you access the UPnP services offered by the Canal Plus set-top box named "+Le Cube" or "Le cube Canal +", without having previously paired with the device. This package also includes scripts to change the volume and select channels by means of SOAP UPnP services.

These scripts make use of the following security flaw:
- when requesting to pair with the device, you send a UPnP SOAP message containing a unique user identifier (uuid), then the box chooses a number between 0000 and 9999 and waits for a SOAP message containing both this number and your uuid;
- the number is displayed on the box screen for only 30 seconds, to make sure you are the owner of the box;
- but the device will accept any number of attempts, even after the screen is cleared.

So, these scripts use brute force to pair with the box.
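
A device-side check that closes the gap described above, as an added example that is not part of this package or of the set-top box firmware: the code expires with the 30-second display window and the session closes after a few wrong guesses. The class and function names, MAX_ATTEMPTS = 3 and the returned status strings are assumptions.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 30   # same window as the on-screen display described above
MAX_ATTEMPTS = 3        # assumed policy; the flaw above is that no limit exists


class PairingSession:
    """One pending pairing request for one uuid (hypothetical device-side model)."""

    def __init__(self, uuid, now=None):
        self.uuid = uuid
        self.code = f"{secrets.randbelow(10000):04d}"   # 0000..9999 from a CSPRNG
        self.created = time.monotonic() if now is None else now
        self.failures = 0
        self.closed = False

    def verify(self, uuid, code, now=None):
        """Return 'paired', 'wrong', 'expired' or 'locked'."""
        now = time.monotonic() if now is None else now
        if self.closed:
            return "locked"              # a new pairing request is required
        if now - self.created > CODE_TTL_SECONDS:
            self.closed = True           # the code dies when the screen is cleared
            return "expired"
        same_code = hmac.compare_digest(code.encode(), self.code.encode())
        if uuid == self.uuid and same_code:
            self.closed = True           # single use
            return "paired"
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.closed = True           # bounded number of guesses per displayed code
        return "wrong"


def guess_budget(session, start=0.0, step=0.05):
    """Feed 0000..9999 in order to a session; return (paired, guesses_evaluated)."""
    evaluated = 0
    for n in range(10000):
        result = session.verify(session.uuid, f"{n:04d}", now=start + n * step)
        if result in ("locked", "expired"):
            return False, evaluated
        evaluated += 1
        if result == "paired":
            return True, evaluated
    return False, evaluated
```

With this policy an exhaustive sweep is evaluated at most three times per displayed code, so its chance of pairing is 3 in 10000 per request instead of certain.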

HOW-TO-RUN-THE-CRACK

Before running the brute-force attack, you need to fill the ip.txt file with the name or IP address of the set-top box.
You may change the default uuid ("www.fenyo.net") used by these scripts to pair with the box: just fill uuid.txt with your preferred id.
Then run "make crack" or "./crack.sh" and wait about 5 to 10 minutes.

DETAILED INSTRUCTIONS

First, set the box IP:
    % echo 192.168.0.55 > ip.txt
Then, choose a uuid:
    % echo my.personal.uuid > uuid.txt
Now, run the brute force attack:
    % make crack
    ./crack.sh
    trying pairing code 0000
    trying pairing code 0001
    trying pairing code 0002
    trying pairing code 0003
    trying pairing code 0004
    [...]
    trying pairing code 5209
    cracked: uuid my.personal.uuid is now registered
    END.
Check that you are correctly paired with the box by getting the volume level of the box:
    % ./getVolumeState.sh
    50
Now, update the channel list (the list is saved in channel-list.txt; it has two columns separated by a '#': the first contains the channel id and the second the channel name):
    % ./update-channels.sh
    20fa.5.501#TF1 HD
    20fa.5.502#FRANCE 2 HD
    20fa.1.111#FRANCE 3
    20fa.3.301#CANAL+
    20fa.1.104#FRANCE 5
    [...]
    3e7.3e7.63#MES VIDEOS
    3e7.3e7.64#CANAL+ à la Demande
    3e7.3e7.65#CANALPLAY
    3e7.3e7.66#M6 Replay
You can now select any channel you want (you just need to call setChannel.sh with a parameter that is a substring of the channel name that uniquely identifies this channel).
For instance, to select 'France 2 HD', just enter:
    % ./setChannel.sh 'FRANCE 2'
Or to select CANAL+, you can enter:
    % ./setChannel.sh CANAL
Finally, you can change the volume by calling setVolumeLevel.sh with a parameter between 0 and 100:
    % ./setVolumeLevel.sh 50

------------------------------------------------------------

Alexandre Fenyo
www.fenyo.net
2013